The firmware is unpacked, so now it's time to decide what we are trying to do with it. Let's start with something simple. People from http://voip-info.org wondered whether it was possible to get root access to the phone. Since the phone runs a Unix-like system, there should be a passwd file somewhere. Begin by cutting the signature out of the file:
$ ./unsign.pl jar41sip.8-3-0-50.sbn cnu jar41sip.8-3-0-50.sbn-unsigned
Found signature offset: 408
Now unpack the file:
$ ./fpu.pl --unpack --input-file jar41sip.8-3-0-50.sbn-unsigned
No --output-dir specified, assuming ./jar41sip.8-3-0-50.sbn-unsigned-unpacked
Extracted /bin/ciscoerror.png to ./jar41sip.8-3-0-50.sbn-unsigned-unpacked/bin/ciscoerror.png
Extracted /bin/ciscoreboot.png to ./jar41sip.8-3-0-50.sbn-unsigned-unpacked/bin/ciscoreboot.png
Extracted /bin/ciscostart.png to ./jar41sip.8-3-0-50.sbn-unsigned-unpacked/bin/ciscostart.png
...SKIP...
Extracted /etc/group to ./jar41sip.8-3-0-50.sbn-unsigned-unpacked/etc/group
Extracted /etc/passwd to ./jar41sip.8-3-0-50.sbn-unsigned-unpacked/etc/passwd
...SKIP...
Extracted /ubin/dspVols01 to ./jar41sip.8-3-0-50.sbn-unsigned-unpacked/ubin/dspVols01
Extracted /ubin/Makaha.jar to ./jar41sip.8-3-0-50.sbn-unsigned-unpacked/ubin/Makaha.jar
Finished with 0 error(s)
Now we are interested in a single file, /etc/passwd:
root:8:0:0:Superuser:/:/bin/nologin
syslog:8:1:0:System Logging:/usr:/bin/nologin
netwk:8:2:0:Network Admin:/etc/inetd:/bin/nologin
security:8:3:1:Security Processes:/usr:/bin/nologin
debug:BQTMQYWL:4:256:Debug Shell:/usr/local:/bin/debugsh
log:OYPTEZXR:5:256:trace shell:/var:/sbin/strace
default:MZPUHGQY:256:256:Default User:/home/default:/bin/sh
A short inspection shows that those who like poking at devices without much effort are out of luck: the root account has /bin/nologin as its shell. The remaining users, apart from default, have special-purpose shells and are of no interest to us.
Interestingly, the other users have "8" in the password field, and telnet login attempts for these accounts result in a challenge prompt. Maybe it is possible to answer the challenge with some response and log in, but I have never seen this authentication scheme before. In any case, I think there is no way to log in as these users while their shells are set to /bin/nologin.
What we can do is create a new user with UID=0, or modify the existing root account by giving it the shell and password of the default user. I do not know the password generation method right now (although the constant length of 8 characters and the fact that the value is stored directly in the passwd file could be a hint), so I will copy the password and shell from the default user to root.
The modified passwd file looks like this:
root:MZPUHGQY:0:0:Superuser:/:/bin/sh
syslog:8:1:0:System Logging:/usr:/bin/nologin
netwk:8:2:0:Network Admin:/etc/inetd:/bin/nologin
security:8:3:1:Security Processes:/usr:/bin/nologin
debug:BQTMQYWL:4:256:Debug Shell:/usr/local:/bin/debugsh
log:OYPTEZXR:5:256:trace shell:/var:/sbin/strace
default:MZPUHGQY:256:256:Default User:/home/default:/bin/sh
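The passwd edit above can be done by hand in any editor, but it is easy to get a field wrong and end up with a phone that will not boot or has no working login at all. The following Python script is an added example, not code from the original post or from the fpu.pl/unsign.pl tools: it parses the seven-field passwd file extracted from the firmware, reports which accounts have a plain password field and an interactive shell (treating /bin/debugsh and /sbin/strace as special-purpose, as above), copies the password field and shell from the `default` account onto `root`, and checks the result before it is written back. The embedded passwd content is the one extracted from the firmware; the `grant_root_shell` function name and the choice of `default` as the donor account are this example's own.

```python
"""Rewrite a firmware /etc/passwd so that root gets a usable shell.

Added example (not the post's own code). Run it with the path to the
extracted etc/passwd to rewrite it in place, or with no argument to see
the result on the passwd content from the post.
"""
import sys
from dataclasses import dataclass
from typing import List

# /etc/passwd as extracted from jar41sip.8-3-0-50.sbn in the post.
ORIGINAL_PASSWD = """\
root:8:0:0:Superuser:/:/bin/nologin
syslog:8:1:0:System Logging:/usr:/bin/nologin
netwk:8:2:0:Network Admin:/etc/inetd:/bin/nologin
security:8:3:1:Security Processes:/usr:/bin/nologin
debug:BQTMQYWL:4:256:Debug Shell:/usr/local:/bin/debugsh
log:OYPTEZXR:5:256:trace shell:/var:/sbin/strace
default:MZPUHGQY:256:256:Default User:/home/default:/bin/sh
"""

# Shells that give an interactive prompt. /bin/debugsh and /sbin/strace
# are special-purpose shells and are deliberately not listed.
INTERACTIVE_SHELLS = {"/bin/sh"}
# Password field value that triggers the challenge prompt on telnet.
CHALLENGE_MARKER = "8"


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @classmethod
    def parse(cls, line: str) -> "PasswdEntry":
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, password, uid, gid, gecos, home, shell = fields
        return cls(name, password, int(uid), int(gid), gecos, home, shell)

    def format(self) -> str:
        return ":".join([self.name, self.password, str(self.uid),
                         str(self.gid), self.gecos, self.home, self.shell])


def parse_passwd(text: str) -> List[PasswdEntry]:
    return [PasswdEntry.parse(ln) for ln in text.splitlines() if ln.strip()]


def loginable_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Names of accounts with a plain password field and an interactive shell."""
    return [e.name for e in entries
            if e.shell in INTERACTIVE_SHELLS and e.password != CHALLENGE_MARKER]


def challenge_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Names of accounts whose password field is the literal '8'."""
    return [e.name for e in entries if e.password == CHALLENGE_MARKER]


def grant_root_shell(text: str, donor: str = "default") -> str:
    """Return passwd text where root has the donor's password field and shell.

    The donor account (default here) is assumed to have a password the
    attacker knows and an interactive shell; everything else is preserved.
    """
    entries = parse_passwd(text)
    by_name = {e.name: e for e in entries}
    if "root" not in by_name or donor not in by_name:
        raise KeyError("passwd has no root or no %r account" % donor)
    src, root = by_name[donor], by_name["root"]
    if src.shell not in INTERACTIVE_SHELLS:
        raise ValueError("donor %r has no interactive shell" % donor)
    root.password = src.password
    root.shell = src.shell
    # Sanity checks before the file is repacked into the firmware image.
    if root.uid != 0 or root.gid != 0:
        raise ValueError("root is not UID 0 / GID 0")
    if sum(1 for e in entries if e.uid == 0) != 1:
        raise ValueError("more than one UID 0 account")
    return "\n".join(e.format() for e in entries) + "\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = ORIGINAL_PASSWD
    print("challenge accounts:", challenge_accounts(parse_passwd(text)))
    print("loginable before:  ", loginable_accounts(parse_passwd(text)))
    patched = grant_root_shell(text)
    print("loginable after:   ", loginable_accounts(parse_passwd(patched)))
    if len(sys.argv) > 1:
        with open(sys.argv[1], "w") as fh:
            fh.write(patched)
    else:
        sys.stdout.write(patched)
```

Pointing it at `./jar41sip.8-3-0-50.sbn-unsigned-unpacked/etc/passwd` rewrites that file so that the subsequent repack picks up the modified root entry; the checks refuse to write a file with no UID 0 account or with more than one.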
Next we need to pack the directory back into a firmware file and upload it to the phone.
Stay tuned!